+strongswan-5.9.14
+-----------------
+
+- Support for the IKEv2 OCSP extensions (RFC 4806) has been added, which allows
+ peers to request and send OCSP responses directly in IKEv2.
+
+- Validation of X.509 name constraints in the constraints plugin has been
+ refactored to align with RFC 5280.
+
+- The dhcp plugin has been ported to FreeBSD/macOS.
+
+- The openssl plugin is now compatible with AWS-LC.
+
+- Overflows of unique identifiers (e.g. Netlink sequence numbers or reqids) are
+ now handled gracefully.
+
+- Updated the pkcs11.h header based on the latest OpenSC version in order to
+ include new algorithm and struct definitions for the pkcs11 plugin.
+ Added support for PSS padding in smartcard-based RSA signatures using either
+ on-chip or external data hashing.
+
+- Added keyid and certid handles in the pki --ocsp command so that keys and/or
+ certificates can be stored on a smartcard or in a TPM 2.0 device.
+
+- Fail SA installation on Linux if replay protection is disabled while ESN is
+ enabled, which the kernel currently doesn't support.
+
+
+strongswan-5.9.13
+-----------------
+
+- Fixes a regression with handling OCSP error responses and adds a new
+ option to specify the length of nonces in OCSP requests. Also adds some
+ other improvements for OCSP handling and fuzzers for OCSP
+ requests/responses.
+
+
+strongswan-5.9.12
+-----------------
+
+- Fixed a vulnerability in charon-tkm related to processing DH public values
+ that can lead to a buffer overflow and potentially remote code execution.
+ This vulnerability has been registered as CVE-2023-41913.
+
+- The new `pki --ocsp` command produces OCSP responses based on certificate
+ status information provided by plugins.
+
+ Two sources are currently available, the openxpki plugin that directly
+ accesses the OpenXPKI database and the `--index` argument, which reads
+ certificate status information from OpenSSL-style index.txt files.
+
+- The cert-enroll script handles the initial enrollment of an X.509 host
+ certificate with a PKI server via the EST or SCEP protocols.
+
+ Run as a systemd timer or via a crontab entry the script daily checks the
+ expiration date of the host certificate. When a given deadline is reached,
+ the host certificate is automatically renewed via EST or SCEP re-enrollment
+ based on the possession of the old private key and the matching certificate.
+
+- The --priv argument for charon-cmd allows using any type of private key.
+
+- Support for nameConstraints of type iPAddress has been added (the openssl
+ plugin previously didn't support nameConstraints at all).
+
+- SANs of type uniformResourceIdentifier can now be encoded in certificates.
+
+- Password-less PKCS#12 and PKCS#8 files are supported.
+
+- A new global option allows preventing peers from authenticating with trusted
+ end-entity certificates (i.e. local certificates).
+
+- ECDSA public keys that encode curve parameters explicitly are now rejected by
+ all plugins that support ECDSA.
+
+- charon-nm now actually uses the XFRM interfaces added with 5.9.10, it can
+ also use the name in connection.interface-name.
+
+- The resolve plugin tries to maintain the order of installed DNS servers.
+
+- The kernel-libipsec plugin always installs routes even if no address is found
+ in the local traffic selectors.
+
+- Increased the default receive buffer size for Netlink sockets to 8 MiB and
+ simplified its configuration.
+
+- Copy the issuer's subjectKeyIdentifier as authorityKeyIdentifier instead of
+ always generating a hash of the subjectPublicKey.
+
+- Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD
+ timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with
+ unrelated traffic selectors.
+
+- Fixed a possible infinite loop issue in watcher_t and removed WATCHER_EXCEPT,
+ instead callbacks are always invoked even if only errors are signaled.
+
+- Fixed a regression in the IKE_SA_INIT tracking code added with 5.9.6 when
+ handling invalid messages.
+
+- Fixed adding the XFRMA_REPLAY_ESN_VAL attribute twice when updating SAs.
+
+- Correctly encode SPI from REKEY_SA notify in CHILD_SA_NOT_FOUND notify if
+ CHILD_SA is not found during rekeying.
+
+- The testing environment is now based on Debian 12 (bookworm), by default.
+
+
+strongswan-5.9.11
+-----------------
+
+- A deadlock in the vici plugin has been fixed that could get triggered when
+ multiple connections were initiated/terminated concurrently and control-log
+ events were raised by the watcher_t component.
+
+- CRLs have to be signed by a certificate that has the cRLSign keyUsage bit
+ encoded (even if it's a CA), or a CA certificate without keyUsage extension.
+
+- Optional CA labels in EST server URIs are supported by `pki --est/estca`.
+
+- CMS-style signatures in PKCS#7 containers are supported by the pkcs7 and
+ openssl plugins, which allows verifying RSA-PSS and ECDSA signatures.
+
+- Fixed a regression in the server implementation of EAP-TLS with TLS 1.2 or
+ earlier that was introduced with 5.9.10.
+
+- Ensure the TLS handshake is complete in the EAP-TLS client with TLS <= 1.2.
+
+- kernel-libipsec can process raw ESP packets on Linux (disabled by default) and
+ gained support for trap policies.
+
+- The dhcp plugin uses an alternate method to determine the source address
+ for unicast DHCP requests that's not affected by interface filtering.
+
+- Certificate and trust chain selection as initiator has been improved in case
+ the local trust chain is incomplete and an unrelated certreq is received.
+
+- ECDSA and EdDSA keys in IPSECKEY RRs are supported by the ipseckey plugin.
+
+- To bypass tunnel mode SAs/policies, the kernel-wfp plugin installs bypass
+ policies also on the FWPM_SUBLAYER_IPSEC_TUNNEL sublayer.
+
+- Stale OCSP responses are now replace in-place in the certificate cache.
+
+- Fixed parsing of SCEP server capabilities by `pki --scep/scepca`.
+
+
+strongswan-5.9.10
+-----------------
+
+- Fixed a vulnerability related to certificate verification in TLS-based EAP
+ methods that leads to an authentication bypass followed by an expired pointer
+ dereference that results in a denial of service and possibly even remote code
+ execution.
+ This vulnerability has been registered as CVE-2023-26463.
+
+- Added support for full packet hardware offload for IPsec SAs and policies with
+ Linux 6.2 kernels to the kernel-netlink plugin.
+
+- TLS-based EAP methods now use the standardized key derivation when used
+ with TLS 1.3.
+
+- The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by
+ implementing the "protected success indication".
+
+- With the `prefer` value for the `childless` setting, initiators will create
+ a childless IKE_SA if the responder supports the extension.
+
+- Routes via XFRM interfaces can optionally be installed automatically by
+ enabling the `install_routes_xfrmi` option of the kernel-netlink plugin.
+
+- charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid
+ issues with name resolution if they are supported by the kernel.
+
+- The `pki --req` command can encode extendedKeyUsage (EKU) flags in the
+ PKCS#10 certificate signing request.
+
+- The `pki --issue` command adopts EKU flags from CSRs but allows modifying them
+ (replace them completely, or adding/removing specific flags).
+
+- On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via the
+ IPsec SAs instead of the policies.
+
+- For libcurl with MultiSSL support, the curl plugin provides an option to
+ select the SSL/TLS backend.
+
+
+strongswan-5.9.9
+----------------
+
+- The charon.reqid_base setting allows specifying the first reqid that's
+ automatically assigned to a CHILD_SA.
+
+- The path/command for resolvconf(8) used by the resolve plugin is now
+ configurable.
+
+- The resolve plugin doesn't generate unique interface names for name servers
+ anymore. Instead, all available name servers are associated with a single,
+ configurable interface name.
+
+- Serial numbers of certificates and CRLs are now always returned in canonical
+ form (i.e. without leading zeros).
+
+- The kernel-netlink plugin now logs extended ACK error/warning messages.
+
+
+strongswan-5.9.8
+----------------
+
+- Fixed a vulnerability related to accessing untrusted OCSP URIs and CDPs in
+ certificates that could lead to a denial-of-service attack.
+ This vulnerability has been registered as CVE-2022-40617.
+
+- The pki --scep|--scepca commands support the HTTP-based "Simple Certificate
+ Enrollment Protocol" (RFC 8894 SCEP) replacing the old and long deprecated
+ scepclient that has been removed.
+
+- The pki --est|estca commands support the HTTPS-based "Enrollment over Secure
+ Transport" (RFC 7030 EST) protocol.
+
+- The pki --req command can create a certificate request based on an existing
+ PKCS#10 template by replacing the public key and re-generating the signature
+ with the new private key.
+
+- For IKEv2, the ike_updown() "up" event and the state change to IKE_ESTABLISHED
+ are now triggered after all IKE-related tasks are done.
+
+- The ike_cfg_t object is now always replaced together with the peer_cfg_t
+ object that's set on an IKE_SA during authentication.
+
+- The gcm plugin has been enabled by default, so that the TLS 1.3 unit tests
+ can be completed successfully with just the default plugins.
+
+- The socket plugins don't set the SO_REUSEADDR option anymore on the IKE UDP
+ sockets, so an error is triggered if e.g. two daemons (e.g. charon and
+ charon-systemd) are running concurrently using the same ports.
+
+- The charon.rsa_pss_trailerfield setting generates an algorithmIdentifier with
+ explicit trailerField.
+
+
+strongswan-5.9.7
+----------------
+
+- The IKEv2 key derivation is now delayed until the keys are actually needed for
+ the next message. Instead of deriving the keys while processing an IKE_SA_INIT
+ request, it's delayed until the corresponding IKE_AUTH request is received.
+ DH implementations now must do costly public key validation and the key
+ derivation in get_shared_secret().
+
+- Inbound IKEv2 messages are not parsed immediately anymore, instead we first
+ check a request's MID and compare its hash to that of the previous request to
+ decide if it's a valid retransmit (for fragmented message we only keep track
+ of the first fragment, so we don't have to wait for all fragments and
+ reconstruct the message, which we did before).
+
+- The retransmission logic in the dhcp plugin has been fixed so that four
+ retransmits are sent per DHCP request over a total of 15 seconds (previously,
+ it could happen that all were sent within the same second without any time
+ to actually wait for a response).
+
+- The connmark plugin now considers configured masks in installed firewall
+ rules, which allows using the upper parts of the mark value for other
+ purposes. Just consider that the daemon might have to be restarted regularly
+ to reset the global unique mark counter as that's unaware of any masks.
+
+- Child config selection has been improved as responder in cases where multiple
+ children use transport mode traffic selectors.
+
+- The outbound SA/policy is now also removed after IKEv1 CHILD_SA rekeyings.
+
+- The openssl plugin supports AES and Camellia in CTR mode.
+
+
+strongswan-5.9.6
+----------------
+
+- The IKEv2 key derivation, in particular prf+, has been modularized to simplify
+ certification (e.g. FIPS-140) via an already certified third-party library.
+ The botan, openssl and wolfssl plugins implement the key derivation for
+ HMAC-based PRFs via their respective HKDF implementation. A generic
+ implementation is provided by the new kdf plugin.
+
+- Labeled IPsec with IKEv2 is supported in an SELinux and a proprietary simple
+ mode. In SELinux mode, traffic that matches a trap policy with generic
+ context (e.g. system_u:object_r:ipsec_spd_t:s0) triggers the negotiation of
+ CHILD_SAs with a specific label. With the simple mode, labels are not set on
+ SAs/policies but can be used as identifier to select specific child configs.
+
+- DoS protection has been improved: COOKIE secrets are now switched based on a
+ time limit (2 min.), a new per-IP threshold (default 3) is used to trigger
+ them, and unprocessed IKE_SA_INITs are already counted as half-open IKE_SAs.
+
+- Initiating duplicate CHILD_SAs within the same IKE_SA is largely prevented.
+
+- Immediately initiating a CHILD_SA with trap policies is now possible via
+ `start_action=trap|start`.
+
+- If the source address is unknown when initiating an IKEv2 SA, a NAT situation
+ is now forced for IPv4 (for IPv6, NAT-T is disabled) to avoid causing
+ asymmetric enabling of UDP-encapsulation.
+
+- Installing unnecessary exclude routes for VPN servers on FreeBSD is avoided.
+
+- The new `map_level` option for syslog loggers allows mapping log levels
+ to syslog levels starting at the specified number.
+
+- The addrblock plugin allows limiting the validation depth of issuer addrblock
+ extensions.
+
+- The default AEAD ESP proposal (sent since 5.9.0) now includes `noesn` to make
+ it standards-compliant.
+
+- Individual CHILD_SAs can be queried via the `list-sas` vici command (or
+ `swanctl --list-sas ), either by unique ID or name.
+
+- Compatibility with OpenSSL 3.0 has been improved.
+
+
+strongswan-5.9.5
+----------------
+
+- Fixed a vulnerability in the EAP client implementation that was caused by
+ incorrectly handling early EAP-Success messages. It may allow to bypass the
+ client and in some scenarios even the server authentication, or could lead to
+ a denial-of-service attack.
+ This vulnerability has been registered as CVE-2021-45079.
+
+- Using the trusted RSA or ECC Endorsement Key of the TPM 2.0, libtpmtss may now
+ establish a secure session via RSA encryption or an ephemeral ECDH key
+ exchange, respectively. The session allows HMAC-based authenticated
+ communication with the TPM 2.0 and the exchanged parameters can be encrypted
+ where necessary to guarantee confidentiality (e.g. when using the TPM as RNG).
+
+- Basic support for OpenSSL 3.0 has been added, in particular, the new
+ load_legacy option (enabled by default) allows loading the "legacy" provider
+ for algorithms like MD4 and DES (both required for EAP-MSCHAPv2), and the
+ existing fips_mode option allows explicitly loading the "fips" provider e.g.
+ if it's not activated in OpenSSL's fipsmodule.cnf.
+
+- The MTU of TUN devices created by the kernel-pfroute plugin on macOS and
+ FreeBSD is now configurable and reduced to 1400 bytes, by default. This also
+ fixes an issue on macOS 12 that prevented the detection of virtual IPs
+ installed on such TUN devices.
+
+- When rekeying CHILD_SAs, the old outbound SA is now uninstalled shortly after
+ the new SA has been installed on the initiator/winner. This is useful for
+ IPsec implementations where the ordering of SAs is unpredictable and we can't
+ set the SPI on the outbound policy to switch to the new SA while both are
+ installed.
+
+- The sw-collector utility may now iterate through APT history logs processed
+ by logrotate.
+
+- The openssl plugin now only announces the ECDH groups actually supported by
+ OpenSSL (determined via EC_get_builtin_curves()).
+
+
+strongswan-5.9.4
+----------------
+
+- Fixed a denial-of-service vulnerability in the gmp plugin that was caused by
+ an integer overflow when processing RSASSA-PSS signatures with very large
+ salt lengths.
+ This vulnerability has been registered as CVE-2021-41990.
+
+- Fixed a denial-of-service vulnerability in the in-memory certificate cache
+ if certificates are replaced and a very large random value caused an integer
+ overflow.
+ This vulnerability has been registered as CVE-2021-41991.
+
+- Fixed a related flaw that caused the daemon to accept an infinite number of
+ versions of a valid certificate by modifying the parameters in the
+ signatureAlgorithm field of the outer X.509 Certificate structure.
+
+- AUTH_LIFETIME notifies are now only sent by a responder if it can't
+ reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP)
+ or the use of virtual IPs.
+
+- Serial number generation in several pki sub-commands has been fixed so they
+ don't start with an unintended zero byte.
+
+- Initialize libtpmtss in all programs and library that use it.
+
+- Migrated testing scripts to Python 3.
+
+
+strongswan-5.9.3
+----------------
+
+- Added AES_ECB, SHA-3 and SHAKE-256 support to wolfssl plugin.
+
+- Added AES_CCM and SHA-3 signature support to openssl plugin.
+
+- The x509 and openssl plugins now consider the authorityKeyIdentifier, if
+ available, before verifying signatures, which avoids unnecessary signature
+ verifications after a CA key rollover if both certificates are loaded.
+
+- The pkcs11 plugin better handles optional attributes like CKA_TRUSTED, which
+ previously depended on a version check.
+
+- charon-nm now supports using SANs as client identities, not only full DNs.
+
+- charon-tkm now handles IKE encryption.
+
+- A MOBIKE update is sent again if a a change in the NAT mappings is detected
+ but the endpoints stay the same.
+
+- Converted most of the test case scenarios to the vici interface
+
+
+strongswan-5.9.2
+----------------
+
+- Together with a Linux 5.8 kernel supporting the IMA measurement of the GRUB
+ bootloader and the Linux kernel, the strongSwan Attestation IMC allows to do
+ remote attestation of the complete boot phase. A recent TPM 2.0 device with a
+ SHA-256 PCR bank is required, so that both BIOS and IMA file measurements are
+ based on SHA-256 hashes.
+
+- Our own TLS library (libtls) that we use for TLS-based EAP methods and PT-TLS
+ gained experimental support for TLS 1.3. Thanks to Méline Sieber (client) and
+ Pascal Knecht (client and server) for their work on this.
+ Because the use of TLS 1.3 with these EAP methods is not yet standardized (two
+ Internet-Drafts are being worked on), the default maximum version is currently
+ set to TLS 1.2, which is now also the default minimum version. However the TNC
+ test scenarios using PT-TLS transport already use TLS 1.3.
+
+- Other improvements for libtls also affect older TLS versions. For instance, we
+ added support for ECDH with Curve25519/448 (DH groups may also be configured
+ now), for EdDSA keys and certificates and for RSA-PSS signatures. Support for
+ old and weak cipher suites has been removed (e.g. with 3DES and MD5) as well
+ as signature schemes with SHA-1.
+
+- The listener_t::ike_update event is now also called for MOBIKE updates. Its
+ signature has changed so we only have to call it once if both addresses/ports
+ have changed (e.g. for an address family switch). The event is now also
+ exposed via vici.
+
+- The farp plugin has been ported to macOS and FreeBSD. Thanks to Dan James for
+ working on this.
+
+- To fix DNS server installation with systemd-resolved, charon-nm now creates a
+ dummy TUN device again (was removed with 5.5.1).
+
+- The botan plugin can use rng_t implementations provided by other plugins when
+ generating keys etc. if the Botan library supports it.
+
+- charon-tkm now supports multiple CAs and is configured via vici/swanctl.
+
+- Simple glob patterns (e.g. include conf.d/*.conf) now also work on Windows.
+ Handling of forward slashes in paths on Windows has also been improved.
+
+- The abbreviations for the 'surname' and 'serial number' RDNs in ASN.1 DNs have
+ been changed to align with RFC 4519: The abbreviation for 'surname' is now
+ "SN" (was "S" before), which was previously used for 'serial number' that can
+ now be specified as "serialNumber" only.
+
+- An issue with Windows clients requesting previous IPv6 but not IPv4 virtual
+ IP addresses has been fixed.
+
+- ike_sa_manager_t: Checking out IKE_SAs by config is now atomic (e.g. when
+ acquires for different children of the same connection arrive concurrently).
+ The checkout_new() method has been renamed to create_new(). A new
+ checkout_new() method allows registering a new IKE_SA with the manager before
+ checking it in, so jobs can be queued without losing them as they can block
+ on checking out the new SA.
+
+
+strongswan-5.9.1
+----------------
+
+- Remote attestation via TNC supports the SHA-256 based TPM 2.0 BIOS/EFI
+ measurements introduced with the Linux 5.4 kernel.
+
+- Nonces in OCSP responses are not enforced anymore and only validated if a
+ nonce is actually contained.
+
+- Fixed an issue when only some fragments of a retransmitted IKEv2 message were
+ received, which prevented processing a following fragmented message.
+
+- All queued vici messages are now sent to subscribed clients during shutdown,
+ which includes ike/child-updown events triggered when all SAs are deleted.
+
+- CHILD_SA IP addresses are updated before installation to allow MOBIKE updates
+ while retransmitting a CREATE_CHILD_SA request.
+
+- When looking for a route to the peer, the kernel-netlink plugin ignores the
+ current source address if it's deprecated.
+
+- The file and syslog loggers support logging the log level of each message
+ after the subsystem (e.g. [IKE2]).
+
+- charon-nm is now properly terminated during system shutdown.
+
+- Improved support for EdDSA keys in vici/swanctl, in particular, encrypted
+ keys are now supported.
+
+- A new global strongswan.conf option allows sending the Cisco FlexVPN vendor ID
+ to prevent Cisco devices from narrowing a 0.0.0.0/0 traffic selector.
+
+- The openssl plugin accepts CRLs issued by non-CA certificates if they contain
+ the cRLSign keyUsage flag (the x509 plugin already does this since 4.5.1).
+
+- Attributes in PKCS#7 containers, as used in SCEP, are now properly
+ DER-encoded, i.e. sorted.
+
+- The load-tester plugin now supports virtual IPv6 addresses and IPv6 source
+ address pools.
+
+
+strongswan-5.9.0
+----------------
+
+- We prefer AEAD algorithms for ESP and therefore put AES-GCM in a default AEAD
+ proposal in front of the previous default proposal.
+
+- The NM backend now clears cached credentials when disconnecting, has DPD and
+ and close action set to restart, and supports custom remote TS via 'remote-ts'
+ option (no GUI support).
+
+- The pkcs11 plugin falls back to software hashing for PKCS#1v1.5 RSA signatures
+ if mechanisms with hashing (e.g. CKM_SHA256_RSA_PKCS) are not supported.
+
+- The owner/group of log files is now set so the daemon can reopen them if the
+ config is reloaded and it doesn't run as root.
+
+- The wolfssl plugin (with wolfSSL 4.4.0+) supports x448 DH and Ed448 keys.
+
+- The vici plugin stores all CA certificates in one location, which avoids
+ issues with unloading authority sections or clearing all credentials.
+
+- When unloading a vici connection with start_action=start, any related IKE_SAs
+ without children are now terminated (including those in CONNECTING state).
+
+- The hashtable implementation has been changed so it maintains insertion order.
+ This was mainly done so the vici plugin can store its connections in a
+ hashtable, which makes managing high numbers of connections faster.
+
+- The default maximum size for vici messages (512 KiB) can now be changed via
+ VICI_MESSAGE_SIZE_MAX compile option.
+
+- The charon.check_current_path option allows forcing a DPD exchange to check if
+ the current path still works whenever interface/address-changes are detected.
+
+- It's possible to use clocks other than CLOCK_MONOTONIC (e.g. CLOCK_BOOTTIME)
+ via TIME_CLOCK_ID compile option if clock_gettime() is available and
+ pthread_condattr_setclock() supports that clock.
+
+- Test cases and functions can now be filtered when running the unit tests.
+
+
+strongswan-5.8.4
+----------------
+
+- In IKEv1 Quick Mode make sure that a proposal exists before determining
+ lifetimes (fixes crash due to null pointer exception).
+
+- OpenSSL currently doesn't support squeezing bytes out of a SHAKE128/256
+ XOF (eXtended Output Function) multiple times. Unfortunately,
+ EVP_DigestFinalXOF() completely resets the context and later calls not
+ simply fail, they cause a null-pointer dereference in libcrypto. This
+ fixes the crash at the cost of repeating initializing the whole state
+ and allocating too much data for subsequent calls.
+
+
+strongswan-5.8.3
+----------------
+
+- Updates for the NM backend (and plugin), among others: EAP-TLS authentication,
+ configurable local and remote IKE identities, custom server port, redirection
+ and reauthentication support.
+
+- Previously used reqids are now reallocated to workaround an issue on FreeBSD
+ where the daemon can't use reqids > 16383.
+
+- On Linux, throw type routes are installed for passthrough policies. They act
+ as fallbacks on routes in other tables and require less information, so they
+ can be installed earlier and are not affected by updates.
+
+- For IKEv1, the lifetimes of the selected transform are returned to the
+ initiator, which is an issue with peers that propose different lifetimes in
+ different transforms. We also return the correct transform and proposal IDs.
+
+- IKE_SAs are not re-established anymore if a deletion has been queued.
+
+- Added support for Ed448 keys and certificates via openssl plugin and pki tool.
+ The openssl plugin also supports SHA-3 and SHAKE128/256.
+
+- The use of algorithm IDs from the private use ranges can now be enabled
+ globally, to use them even if no strongSwan vendor ID was exchanged.
+
+
+strongswan-5.8.2
+----------------
+
+- Identity-based CA constraints are supported via vici/swanctl.conf. They
+ enforce that the remote's certificate chain contains a CA certificate with a
+ specific identity. While similar to the existing CA constraints, they don't
+ require that the CA certificate is locally installed such as intermediate CA
+ certificates received from peers. Compared to wildcard identity matching (e.g.
+ "..., OU=Research, CN=*") this requires less trust in the intermediate CAs (to
+ only issue certificates with legitimate subject DNs) as long as path length
+ basic constraints prevent them from issuing further intermediate CAs.
+
+- Intermediate CA certificates may now be sent in hash-and-URL encoding by
+ configuring a base URL for the parent CA.
+
+- Implemented NIST SP-800-90A Deterministic Random Bit Generator (DRBG)
+ based on AES-CTR and SHA2-HMAC modes. Currently used by gmp and ntru plugins.
+
+- Random nonces sent in an OCSP requests are now expected in the corresponding
+ OCSP responses.
+
+- The kernel-netlink plugin ignores deprecated IPv6 addresses for MOBIKE.
+ Whether temporary or permanent IPv6 addresses are included depends on the
+ charon.prefer_temporary_addrs setting.
+
+- Extended Sequence Numbers (ESN) are configured via PF_KEY if supported by the
+ kernel.
+
+- Unique section names are used for CHILD_SAs in vici child-updown events and
+ more information (e.g. statistics) are included for individually deleted
+ CHILD_SAs (in particular for IKEv1).
+
+- So fallbacks to other plugins work properly, creating HMACs via openssl plugin
+ now fails instantly if the underlying hash algorithm isn't supported (e.g.
+ MD5 in FIPS-mode).
+
+- Exponents of RSA keys read from TPM 2.0 via SAPI are now correctly converted.
+
+- Routing table IDs > 255 are supported for custom routes on Linux.
+
+- The D-Bus config file for charon-nm is now installed in
+ $(datadir)/dbus-1/system.d instead of $(sysconfdir)/dbus-1/system.d.
+
+- INVALID_MAJOR_VERSION notifies are now correctly sent in messages of the same
+ exchange type and using the same message ID as the request.
+
+- IKEv2 SAs are immediately destroyed when sending or receiving INVALID_SYNTAX
+ notifies in authenticated messages.
+
+
+strongswan-5.8.1
+----------------
+
+- RDNs in Distinguished Names can now optionally be matched less strict. The
+ global option charon.rdn_matching takes two alternative values that cause the
+ matching algorithm to either ignore the order of matched RDNs or additionally
+ accept DNs that contain more RDNs than configured (unmatched RDNs are treated
+ like wildcard matches).
+
+- The updown plugin now passes the same interface to the script that is also
+ used for the automatically installed routes, i.e. the interface over which the
+ peer is reached instead of the interface on which the local address is found.
+
+- TPM 2.0 contexts are now protected by a mutex to prevent issues if multiple
+ IKE_SAs use the same private key concurrently.
+
+
+strongswan-5.8.0
+----------------
+
+- The systemd service units have been renamed. The modern unit, which was called
+ strongswan-swanctl, is now called strongswan (the previous name is configured
+ as alias). The legacy unit is now called strongswan-starter.
+
+- Support for XFRM interfaces (available since Linux 4.19) has been added.
+ Configuration is possible via swanctl.conf. Interfaces may be created
+ dynamically via updown/vici scripts, or statically before or after
+ establishing the SAs. Routes must be added manually as needed (the daemon will
+ not install any routes for outbound policies with an interface ID).
+
+- Initiation of childless IKE_SAs is supported (RFC 6023). If enabled and
+ supported by the responder, no CHILD_SA is established during IKE_AUTH. This
+ allows using a separate DH exchange even for the first CHILD_SA, which is
+ otherwise created with keys derived from the IKE_SA's key material.
+
+- The NetworkManager backend and plugin support IPv6.
+
+- The new wolfssl plugin is a wrapper around the wolfSSL crypto library. Thanks
+ to Sean Parkinson of wolfSSL Inc. for the initial patch.
+
+- IKE SPIs may optionally be labeled via the charon.spi_mask|label options. This
+ feature was extracted from charon-tkm, however, now applies the mask/label in
+ network order.
+
+- The openssl plugin supports ChaCha20-Poly1305 when built with OpenSSL 1.1.0.
+
+- The PB-TNC finite state machine according to section 3.2 of RFC 5793 was not
+ correctly implemented when sending either a CRETRY or SRETRY batch. These
+ batches can only be sent in the "Decided" state and a CRETRY batch can
+ immediately carry all messages usually transported by a CDATA batch. It is
+ currently not possible to send a SRETRY batch since full-duplex mode for
+ PT-TLS transport is not supported.
+
+- Instead of marking virtual IPv6 addresses as deprecated, the kernel-netlink
+ plugin uses address labels to avoid their use for non-VPN traffic.
+
+- The agent plugin creates sockets to the ssh/gpg-agent dynamically and does not
+ keep them open, which otherwise can prevent the agent from getting terminated.
+
+- To avoid broadcast loops the forecast plugin now only reinjects packets that
+ are marked or received from the configured interface.
+
+- UTF-8 encoded passwords are supported via EAP-MSCHAPv2, which internally uses
+ an UTF-16LE encoding to calculate the NT hash.
+
+- Adds the build-certs script to generate the keys and certificates used for
+ regression tests dynamically. They are built with the pki version installed
+ in the KVM root image so it's not necessary to have an up-to-date version with
+ all required plugins installed on the host system.
+
+
+strongswan-5.7.2
+----------------
+
+- Private key implementations may optionally provide a list of supported
+ signature schemes, which is used by the tpm plugin because for each key on a
+ TPM 2.0 the hash algorithm and for RSA also the padding scheme is predefined.
+
+- For RSA with PSS padding, the TPM 2.0 specification mandates the maximum salt
+ length (as defined by the length of the key and hash). However, if the TPM is
+ FIPS-168-4 compliant, the salt length equals the hash length. This is assumed
+ for FIPS-140-2 compliant TPMs, but if that's not the case, it might be
+ necessary to manually enable charon.plugins.tpm.fips_186_4 if the TPM doesn't
+ use the maximum salt length.
+
+- swanctl now accesses directories for credentials relative to swanctl.conf, in
+ particular, when it's loaded from a custom location via --file argument. The
+ base directory that's used if --file is not given is configurable at runtime
+ via SWANCTL_DIR environment variable.
+
+- With RADIUS Accounting enabled, the eap-radius plugin adds the session ID to
+ Access-Request messages, simplifying associating database entries for IP
+ leases and accounting with sessions.
+
+- IPs assigned by RADIUS servers are included in Accounting-Stop even if clients
+ don't claim them, allowing releasing them early on connection errors.
+
+- Selectors installed on transport mode SAs by the kernel-netlink plugin are
+ updated on IP address changes (e.g. via MOBIKE).
+
+- Added support for RSA signatures with SHA-256 and SHA-512 to the agent plugin.
+ For older versions of ssh/gpg-agent that only support SHA-1, IKEv2 signature
+ authentication has to be disabled via charon.signature_authentication.
+
+- The sshkey and agent plugins support Ed25519/Ed448 SSH keys and signatures.
+
+- The openssl plugin supports X25519/X448 Diffie-Hellman and Ed25519/Ed448 keys
+ and signatures when built against OpenSSL 1.1.1.
+
+- Ed25519, ChaCha20/Poly1305, SHA-3 and AES-CCM were added to the botan plugin.
+
+- The mysql plugin now properly handles database connections with transactions
+ under heavy load.
+
+- IP addresses in HA pools are now distributed evenly among all segments.
+
+- On newer FreeBSD kernels, the kernel-pfkey plugin reads the reqid directly
+ from SADB_ACQUIRE messages, i.e. not requiring previous policy installation by
+ the plugin, e.g. for compatibility with if_ipsec(4) VTIs.
+
+
+strongswan-5.7.1
+----------------
+
+- Fixes a vulnerability in the gmp plugin triggered by crafted certificates with
+ RSA keys with very small moduli. When verifying signatures with such keys,
+ the code patched with the fix for CVE-2018-16151/2 caused an integer underflow
+ and subsequent heap buffer overflow that results in a crash of the daemon.
+ The vulnerability has been registered as CVE-2018-17540.
+
+
+strongswan-5.7.0
+----------------
+
+- Fixes a potential authorization bypass vulnerability in the gmp plugin that
+ was caused by a too lenient verification of PKCS#1 v1.5 signatures. Several
+ flaws could be exploited by a Bleichenbacher-style attack to forge signatures
+ for low-exponent keys (i.e. with e=3). CVE-2018-16151 has been assigned to
+ the problem of accepting random bytes after the OID of the hash function in
+ such signatures, and CVE-2018-16152 has been assigned to the issue of not
+ verifying that the parameters in the ASN.1 algorithmIdentifier structure is
+ empty. Other flaws that don't lead to a vulnerability directly (e.g. not
+ checking for at least 8 bytes of padding) have no separate CVE assigned.
+
+- Dots are not allowed anymore in section names in swanctl.conf and
+ strongswan.conf. This mainly affects the configuration of file loggers. If the
+ path for such a log file contains dots it now has to be configured in the new
+ `path` setting within the arbitrarily renamed subsection in the `filelog`
+ section.
+
+- Sections in swanctl.conf and strongswan.conf may now reference other sections.
+ All settings and subsections from such a section are inherited. This allows
+ to simplify configs as redundant information has only to be specified once
+ and may then be included in other sections (refer to the example in the man
+ page for strongswan.conf).
+
+- The originally selected IKE config (based on the IPs and IKE version) can now
+ change if no matching algorithm proposal is found. This way the order
+ of the configs doesn't matter that much anymore and it's easily possible to
+ specify separate configs for clients that require weak algorithms (instead
+ of having to also add them in other configs that might be selected).
+
+- Support for Postquantum Preshared Keys for IKEv2 (draft-ietf-ipsecme-qr-ikev2)
+ has been added.
+
+- The new botan plugin is a wrapper around the Botan C++ crypto library. It
+ requires a fairly recent build from Botan's master branch (or the upcoming
+ 2.8.0 release). Thanks to René Korthaus and his team from Rohde & Schwarz
+ Cybersecurity for the initial patch.
+
+- The pki tool accepts a xmppAddr otherName as a subjectAlternativeName using
+ the syntax --san xmppaddr:<jid>.
+
+- Implementation of RFC 8412 "Software Inventory Message and Attributes (SWIMA)
+ for PA-TNC". SWIMA subscription option sets CLOSE_WRITE trigger on apt
+ history.log file resulting in a ClientRetry PB-TNC batch to initialize
+ a new measurement cycle.
+
+- Added support for fuzzing the PA-TNC (RFC 5792) and PB-TNC (RFC 5793) NEA
+ protocols on Google's OSS-Fuzz infrastructure.
+
+- Support for version 2 of Intel's TPM2-TSS TGC Software Stack. The presence of
+ the in-kernel /dev/tpmrm0 resource manager is automatically detected.
+
+- Marks the in- and/or outbound SA should apply to packets after processing may
+ be configured in swanctl.conf on Linux. For outbound SAs this requires at
+ least a 4.14 kernel. Setting a mask and configuring a mark/mask for inbound
+ SAs will be added with the upcoming 4.19 kernel.
+
+- New options in swanctl.conf allow configuring how/whether DF, ECN and DS
+ fields in the IP headers are copied during IPsec processing. Controlling this
+ is currently only possible on Linux.
+
+- To avoid conflicts, the dhcp plugin now only uses the DHCP server port if
+ explicitly configured.
+
+
+strongswan-5.6.3
+----------------
+
+- Fixed a DoS vulnerability in the IKEv2 key derivation if the openssl plugin is
+ used in FIPS mode and HMAC-MD5 is negotiated as PRF.
+ This vulnerability has been registered as CVE-2018-10811.
+
+- Fixed a vulnerability in the stroke plugin, which did not check the received
+ length before reading a message from the socket. Unless a group is configured,
+ root privileges are required to access that socket, so in the default
+ configuration this shouldn't be an issue.
+ This vulnerability has been registered as CVE-2018-5388.
+
+⁻ CRLs that are not yet valid are now ignored to avoid problems in scenarios
+ where expired certificates are removed from CRLs and the clock on the host
+ doing the revocation check is trailing behind that of the host issuing CRLs.
+
+- The issuer of fetched CRLs is now compared to the issuer of the checked
+ certificate.
+
+- CRL validation results other than revocation (e.g. a skipped check because
+ the CRL couldn't be fetched) are now stored also for intermediate CA
+ certificates and not only for end-entity certificates, so a strict CRL policy
+ can be enforced in such cases.
+
+- In compliance with RFC 4945, section 5.1.3.2, certificates used for IKE must
+ now either not contain a keyUsage extension (like the ones generated by pki)
+ or have at least one of the digitalSignature or nonRepudiation bits set.
+
+- New options for vici/swanctl allow forcing the local termination of an IKE_SA.
+ This might be useful in situations where it's known the other end is not
+ reachable anymore, or that it already removed the IKE_SA, so retransmitting a
+ DELETE and waiting for a response would be pointless. Waiting only a certain
+ amount of time for a response before destroying the IKE_SA is also possible
+ by additionally specifying a timeout.
+
+- When removing routes, the kernel-netlink plugin now checks if it tracks other
+ routes for the same destination and replaces the installed route instead of
+ just removing it. Same during installation, where existing routes previously
+ weren't replaced. This should allow using traps with virtual IPs on Linux.
+
+- The dhcp plugin only sends the client identifier option if identity_lease is
+ enabled. It can also send identities of up to 255 bytes length, instead of
+ the previous 64 bytes. If a server address is configured, DHCP requests are
+ now sent from port 67 instead of 68 to avoid ICMP port unreachables.
+
+- Roam events are now completely ignored for IKEv1 SAs.
+
+- ChaCha20/Poly1305 is now correctly proposed without key length. For
+ compatibility with older releases the chacha20poly1305compat keyword may be
+ included in proposals to also propose the algorithm with a key length.
+
+- Configuration of hardware offload of IPsec SAs is now more flexible and allows
+ a new mode, which automatically uses it if the kernel and device support it.
+
+- SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1.
+
+- The pki --verify tool may load CA certificates and CRLs from directories.
+
+- Fixed an issue with DNS servers passed to NetworkManager in charon-nm.
+
+
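Review bot: the strongswan-5.7.2 entry on RSA-PSS salt length names the standard inconsistently: the prose says the salt length equals the hash length if the TPM is "FIPS-168-4 compliant", while the setting it points readers to is charon.plugins.tpm.fips_186_4, so "FIPS-168-4" reads as a transposition of "FIPS 186-4" and should be corrected so that the rule and the option refer to the same document. Smaller points in the same hunk: the strongswan-5.6.3 item on not-yet-valid CRLs is bulleted with a superscript minus ("⁻") instead of the "-" every other item uses, which breaks the plain-text list and any grep for "^- " over the file; "TPM2-TSS TGC Software Stack" in the 5.7.0 entry should read "TCG"; and "verifying that the parameters in the ASN.1 algorithmIdentifier structure is empty" should be "are empty".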